View Issue Details
Field | Value
---|---
ID | 17762
Project | Bug reports
Category | Security
View Status | public
Date Submitted | 2021-11-25 10:00
Last Update | 2022-01-05 14:12
Reporter | HonkXL2
Assigned To | galads
Priority | none
Severity | minor
Status | closed
Resolution | fixed
Product Version | 5.2.x
Summary | 17762: vulnerable version of jQuery used
Description | While performing a security scan on our servers, we got the result that a potentially vulnerable version of jQuery is used in the latest build of LimeSurvey. I don't know if this is really a problem, but I think it would be a good idea to bring this up-to-date. Here is the result of the security scan: jQuery is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors. jQuery < 1.9.0 XSS Vulnerability, OID: 1.3.6.1.4.1.25623.1.0.141636
Steps To Reproduce | Steps to reproduce: security scan on a server with LimeSurvey installed. Expected result: none found. Actual result: vulnerable version of jQuery found.
Tags | No tags attached.
Bug heat | 258
Complete LimeSurvey version number (& build) | 5.2.3 211122
I will donate to the project if issue is resolved | No
Browser |
Database type & version | mariaDB 10.3
Server OS (if known) | Debian 11
Webserver software & version (if known) | Apache 2.4.x
PHP Version | 7.4.24
And there is a second file: jQuery is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors. jQuery < 1.9.0 XSS Vulnerability, OID: 1.3.6.1.4.1.25623.1.0.141636, 2021-06-11T08:43:18Z

File is here, but not used. Low (none) security risk.

Best: remove it ;)

I think unused files should be removed!?

Feel free to remove it in dev branch, Denis.

Or update third party?

I already synced it to Zoho. I will assign it to @DenisChenu

jquery-autocomplete: https://github.com/LimeSurvey/LimeSurvey/pull/2160

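The scanner finding quoted in the report, and the discussion above about a bundled jQuery copy that is present but not loaded by any page, both come down to the same defender's task: inventory every jQuery build shipped under the web root and flag those older than 1.9.0, whether or not they are referenced, because a version-banner scanner flags them either way. The following is an added example written for this page, not LimeSurvey's own code or the scanner's; the file paths and file contents are constructed for the example, the version threshold is the 1.9.0 from the finding, and `scan_directory` is a hypothetical helper for running the same check over a real checkout.

```python
"""Inventory bundled jQuery copies and flag versions below 1.9.0.

Added example (not LimeSurvey code). A version-banner scanner reports a
vulnerable jQuery by the banner inside the file, not by whether any page
loads it, so an unused copy left in the tree still produces a finding.
"""
import re
from pathlib import Path

# jQuery source and minified builds carry a banner near the top such as
#   /*! jQuery v1.8.3 jquery.com | jquery.org/license */
#   * jQuery JavaScript Library v1.7.2
VERSION_BANNER = re.compile(
    r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)(?:\.(\d+))?"
)

# First release in which jQuery(strInput) only treats strings that start
# with '<' as HTML (threshold taken from the finding in the report).
FIXED_VERSION = (1, 9, 0)


def jquery_version(text):
    """Return (major, minor, patch) parsed from a jQuery banner, or None."""
    m = VERSION_BANNER.search(text[:2000])  # the banner sits at the top of the file
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def scan_sources(files):
    """Classify a {relative_path: file_text} mapping.

    Returns a sorted list of (path, version_string, is_vulnerable) for every
    file that carries a jQuery banner; files without a banner are skipped.
    """
    findings = []
    for path in sorted(files):
        version = jquery_version(files[path])
        if version is None:
            continue
        version_string = ".".join(str(part) for part in version)
        findings.append((path, version_string, version < FIXED_VERSION))
    return findings


def scan_directory(root):
    """Hypothetical helper: read every .js file below root and scan it."""
    root = Path(root)
    files = {}
    for p in root.rglob("*.js"):
        files[str(p.relative_to(root))] = p.read_text(encoding="utf-8", errors="replace")
    return scan_sources(files)


# Constructed sample inputs standing in for files under a web root. The paths
# are invented for this example and are not LimeSurvey's real layout.
SAMPLE_FILES = {
    "assets/jquery-1.8.3.min.js":
        "/*! jQuery v1.8.3 jquery.com | jquery.org/license */\n!function(a,b){}(window);",
    "third_party/old-plugin/lib/jquery.js":
        "/*!\n * jQuery JavaScript Library v1.7.2\n * http://jquery.com/\n */\n",
    "assets/jquery-3.6.0.min.js":
        "/*! jQuery v3.6.0 | (c) OpenJS Foundation | jquery.org/license */\n",
    "assets/app.js":
        "// application code, no library banner\nconsole.log('hi');\n",
}

if __name__ == "__main__":
    for path, version, vulnerable in scan_sources(SAMPLE_FILES):
        status = "VULNERABLE (< 1.9.0)" if vulnerable else "ok"
        print(f"{path}: jQuery {version} {status}")
```

Running it over the constructed inputs lists the 1.8.3 and 1.7.2 copies as vulnerable and the 3.6.0 copy as acceptable; the plain application file is ignored because it has no banner. Against a real checkout, `scan_directory("path/to/webroot")` gives the same list, and every flagged path that no template references is a candidate for the removal the thread settles on.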
Date Modified | Username | Field | Change |
---|---|---|---|
2021-11-25 10:00 | HonkXL2 | New Issue | |
2021-11-25 10:02 | HonkXL2 | Note Added: 67546 | |
2021-11-25 10:02 | HonkXL2 | Bug heat | 250 => 252 |
2021-11-25 10:06 | DenisChenu | Note Added: 67548 | |
2021-11-25 10:06 | DenisChenu | Bug heat | 252 => 254 |
2021-11-25 10:06 | DenisChenu | Note Added: 67549 | |
2021-11-25 10:14 | galads | View Status | public => private |
2021-11-25 10:14 | galads | Bug heat | 254 => 260 |
2021-11-25 10:14 | galads | Zoho Project Synchronization | => |Yes| |
2021-11-25 10:14 | galads | Assigned To | => galads |
2021-11-25 10:14 | galads | Status | new => assigned |
2021-11-25 10:25 | HonkXL2 | Note Added: 67557 | |
2021-11-25 10:26 | galads | View Status | private => public |
2021-11-25 10:26 | galads | Zoho Project Synchronization | Yes => |Yes| |
2021-11-25 10:26 | galads | Bug heat | 260 => 254 |
2021-11-25 10:36 | ollehar | Note Added: 67558 | |
2021-11-25 10:36 | ollehar | Bug heat | 254 => 256 |
2021-11-25 11:02 | DenisChenu | Note Added: 67565 | |
2021-11-25 11:05 | galads | Note Added: 67567 | |
2021-11-25 11:05 | galads | Bug heat | 256 => 258 |
2021-11-25 12:25 | DenisChenu | Note Added: 67569 | |
2021-11-25 12:37 | DenisChenu | Note Added: 67570 | |
2021-12-07 18:27 | c_schmitz | Status | assigned => resolved |
2021-12-07 18:27 | c_schmitz | Resolution | open => fixed |
2022-01-05 14:12 | c_schmitz | Status | resolved => closed |